Windows 8 Users Lured with Fake Dedicated Security Tool

Users of soon-to-be-launched Windows 8 are being lured by a rogue Win 8 Security System, adding further headaches after the mess with the vulnerable Flash Player version in IE 10.

Windows 8 is not yet officially launched. But those tasting it via a “Release to Manufacturing” version of Windows 8 or the 90-day trial version of Windows 8 Enterprise are already exposed to several security hazards.

Crooks jumped at the chance for a good lure and advertised a security tool for the soon to be released OS. This software that allegedly solves all security issues on systems using Windows 8 is in fact a sample of the most-spread malicious piece of code to target users online – a fake AV.

At the time of writing this text, the hosting domain of this fake AV was still active, which means users remain vulnerable to this scam.

If usually rogue AV pieces sell for small sums of money, Win 8 Security System aims at a bold $99.90 fee that is probably meant to dissimulate responsibility and commitment.

Meanwhile, under the hood, this fake AV installs a rootkit driver with a self-signed certificate (either for x32 or x64 systems) in the Windows driver folder under a random name (consisting of randomly-generated characters) to monitor and manipulate the OS and, if necessary, to repair the Fake AV or hinder any legitimate security suite who might remove the bogus one.

It then starts to display the typical symptoms of an infection with rogue antiviruses, namely bombarding the user with bogus messages saying the system is not properly protected. If the victim tries to open the Action Center from the Control Panel, the malware automatically launches the fake one instead with fake flashy warnings, which are not hard-coded into the application, but rather html files downloaded from the web.

Win 8 Security System also hijacks the browser – as far as we’ve seen, it manages to subvert Internet Explorer and Google Chrome – and displays fake security warnings when the user browses the web or opens applications. It crashes the used app displaying an error claiming that a virus has just attacked the system.

The fake Win 8 Security System creates on the Desktop and in the “%start menu%\Programs\Win 8 Security System” a shortcut of a folder called Buy Win 8 Security System.lnk to lead the victim either to the online buy page or the Windows command-line registry editor.

And this fake AV is lurking around just as the security community gives users numerous warning notices about the notorious Microsoft decision of embedding in W8’s IE 10 in a vulnerable version of the Flash Player instead of going with the safer autonomous third-party plug-in.

Unlike in Windows 7 and earlier versions, Windows 8 users cannot automatically update the version of Flash into their browser. For that they need to go to the Adobe support page, look for the updates and manually install them.

This article is based on the technical information provided courtesy of Doina Cosovan, Bitdefender Virus Analyst.